(54) Method and system of enforcing the dispatching of IP datagrams on a plurality of servers according to a defined policy



(57) A method and a system, in a network device, of enforcing the dispatching of Internet Protocol (IP) datagrams on a plurality of servers (503) according to a defined policy, each IP datagram being sent from a source port on a source device to a destination port on a destination device in an Intranet network (502) comprising a plurality of servers (503) and at least one client (501). The method comprises the steps of:

• determining (804, 806) whether the source device 
of an incoming IP datagram is a client (501) or a 
server (503); 

If (805) the source device of the IP datagram is a client 
(501): 

• identifying (803, 904): client address (310), client 
port (312), destination address (311), and destina- 
tion port (313) of the IP Datagram (301); 

• searching (906) for a server address and a server port in a first table (612), this first table comprising a server address (618) and a server port (617) for each connection (613) identified by a client address (614), a client port (615), a destination address (616) and a destination port (617);

if a server address and a server port are identified in said first table, and if said server address and the destination address are different or if said server port and the destination port are different:

• replacing (907) the destination address (311) and the destination port (313) in the IP datagram respectively by the server address (618) and the server port (619);

• sending (909) the IP datagram over the IP network (502).



IP Router Providing Web Traffic Policing 







EP 1 094 649 A2 



Description 

Technical field of the invention 

[0001] The present invention relates to computer networks, and more particularly to a method and system in an Internet Protocol (IP) network of enforcing the dispatching of Internet Protocol (IP) datagrams on a plurality of servers according to a defined policy.


Background art 
INTERNET 

[0002] Internet is a global network of computers and computer networks (the "Net"). The Internet connects computers that use a variety of different operating systems or languages, including UNIX, DOS, Windows, Macintosh, and others. To facilitate and allow the communication among these various systems and languages, the Internet uses a language referred to as TCP/IP ("Transmission Control Protocol/Internet Protocol"). The TCP/IP protocol supports three basic applications on the Internet:

• transmitting and receiving electronic mail,

• logging into remote computers (the "Telnet"), and

• transferring files and programs from one computer to another ("FTP" or "File Transfer Protocol").

[0003] The TCP/IP protocol suite is named for two of the most important protocols:

• a Transmission Control Protocol (TCP), and

• an Internet Protocol (IP).

[0004] Another name for it is the Internet Protocol Suite. The more common term TCP/IP is used to refer to the entire protocol suite. The first design goal of TCP/IP is to build an interconnection of networks that provide universal communication services: an internetwork, or internet. Each physical network has its own technology dependent communication interface, in the form of a programming interface that provides basic communication functions running between the physical network and the user applications. The architecture of the physical networks is hidden from the user. The second goal of TCP/IP is to interconnect different physical networks to form what appears to the user to be one large network.

[0005] TCP is a transport layer protocol providing end to end data transfer. It is responsible for providing a reliable exchange of information between 2 computer systems. Multiple applications can be supported simultaneously over one TCP connection between two computer systems.

[0006] IP is an internetwork layer protocol hiding the physical network architecture below it. Part of the communicating messages between computers is a routing function that ensures that messages will be correctly directed within the network to be delivered to their destination. IP provides this routing function. A message is called an IP Datagram.

[0007] Application Level protocols are used on top of TCP/IP to transfer user and application data from one origin computer system to one destination computer system. Such Application Level protocols are for instance File Transfer Protocol (FTP), Telnet, Gopher, Hyper Text Transfer Protocol (HTTP).

IP ROUTER 

[0008] A "Router" is a computer that interconnects two networks and forwards messages from one network to the other. Routers are able to select the best transmission path between networks. The basic routing function is implemented in the IP layer of the TCP/IP protocol stack, so any host (or computer) or workstation running TCP/IP over more than one interface could, in theory, forward messages between networks. Because IP implements the basic routing functions, the term "IP Router" is often used. However, dedicated network hardware devices called "Routers" can provide more sophisticated routing functions than the minimum functions implemented in IP.

WORLDWIDE WEB 

[0009] With the increasing size and complexity of the Internet, tools have been developed to help find information on the network, often called navigators or navigation systems. Navigation systems that have been developed include standards such as Archie, Gopher and WAIS. The World Wide Web ("WWW" or "the Web") is a recent superior navigation system. The Web is

• an Internet-based navigation system,

• an information distribution and management system for the Internet, and

• a dynamic format for communicating on the Web.

[0010] The Web seamlessly, for the user, integrates formats of information, including still images, text, audio and video. A user on the Web using a graphical user interface ("GUI", pronounced "gooey") may transparently communicate with different host computers on the system, and different system applications (including FTP and Telnet), and different information formats for files and documents including, for example, text, sound and graphics.

HYPERMEDIA 

[0011] The Web uses hypertext and hypermedia. Hypertext is a subset of hypermedia and refers to computer-based "documents" in which readers move from one place to another in a document, or to another document, in a non-linear manner. To do this, the Web uses a client-server architecture. The Web servers enable the user to access hypertext and hypermedia information through the Web and the user's computer. (The user's computer is referred to as a client computer of the Web Server computers.) The clients send requests to the Web Servers, which react, search and respond. The Web allows client application software to request and receive hypermedia documents (including formatted text, audio, video and graphics) with hypertext link capabilities to other hypermedia documents, from a Web file server.

The Web, then, can be viewed as a collection of docu- 
ment files residing on Web host computers that are in- 
terconnected by hyperlinks using networking protocols, 
forming a virtual "web" that spans the Internet. 

UNIFORM RESOURCE LOCATORS 

[0012] A resource of the Internet is unambiguously identified by a Uniform Resource Locator (URL), which is a pointer to a particular resource at a particular location. A URL specifies the protocol used to access a server (e.g. HTTP, FTP, ...), the name of the server, and the location of a file on that server.

HYPER TEXT TRANSFER PROTOCOL 

[0013] Each Web page that appears on client monitors of the Web may appear as a complex document that integrates, for example, text, images, sounds and animation. Each such page may also contain hyperlinks to other Web documents so that a user at a client computer using a mouse may click on icons and may activate hyperlink jumps to a new page (which is a graphical representation of another document file) on the same or a different Web server.

[0014] A Web server is a software program on a Web host computer that answers requests from Web clients, typically over the Internet. All Web servers use a language or protocol to communicate with Web clients which is called Hyper Text Transfer Protocol ("HTTP"). All types of data can be exchanged among Web servers and clients using this protocol, including Hyper Text Markup Language ("HTML"), graphics, sound and video. HTML describes the layout, contents and hyperlinks of the documents and pages. Web clients when browsing:

• convert user specified commands into HTTP GET requests,

• connect to the appropriate Web server to get information, and

• wait for a response. The response from the server can be the requested document or an error message.

[0015] After the document or an error message is returned, the connection between the Web client and the Web server is closed.

[0016] The first version of HTTP is a stateless protocol. That is, with HTTP there is no continuous connection between each client and each server. The Web client using HTTP receives a response as HTML data or other data. This description applies to version 1.0 of the HTTP protocol, while the new version 1.1 breaks this barrier of the stateless protocol by keeping the connection between the server and client alive under certain conditions.


BROWSER 

[0017] After receipt, the Web client formats and presents the data or activates an ancillary application such as a sound player to present the data. To do this, the server or the client determines the various types of data received. The Web Client is also referred to as the Web Browser, since it in fact browses documents retrieved from the Web Server.


DOMAIN NAMES 

[0018] The host or computer names (like www.entreprise.com) are translated into numeric Internet addresses (like 194.56.78.3), and vice versa, by using a method called DNS ("Domain Name Service"). DNS is supported by network-resident servers, also known as domain name servers or DNS servers.



[0019] Some companies use the same mechanism as the Web to communicate inside their own corporation. In this case, this mechanism is called "Intranet". These companies use the same networking/transport protocols and locally based Web servers to provide access to vast amounts of corporate information in a cohesive fashion. As this data may be private to the corporation, and because the members of the company still need to have access to public Web information, they protect the access to their network by using a special equipment called a Firewall. A Firewall is used to prevent people not belonging to the company from accessing the private Intranet from the public Internet.


FIREWALL 

[0020] A Firewall protects one or more computers with Internet connections from access by external computers connected to the Internet. A Firewall is a network configuration, usually created by hardware and software, that forms a boundary between networked computers within the Firewall and those outside the Firewall. The computers within the Firewall form a secure sub-network with internal access capabilities and shared resources not available from outside computers.

[0021] Often, the access to both internal and external computers is controlled by a single machine, said machine comprising the Firewall. Since the computer on which the Firewall is directly interacts with the Internet, strict security measures against unwanted access from external computers are required.

[0022] A Firewall is commonly used to protect information such as electronic mail and data files within a physical building or organization site. A Firewall reduces the risk of intrusion by unauthorized people from the Internet. The same security measures can limit or require special software for people inside the Firewall who wish to access information on the outside. A Firewall can be configured using "Proxies" or "Socks" to control the access to information from each side of the Firewall.

PROXY SERVER 

[0023] An HTTP Proxy is a special server that allows an access to the Internet. It typically runs in conjunction with Firewall software. The Proxy Server:

• waits for a request (for example an HTTP request) from inside the Firewall,

• forwards the request to the remote server outside the Firewall,

• reads the response, and

• sends the response back to the client.

[0024] A single computer can run multiple servers, each server connection identified with a port number. A Proxy Server, like an HTTP Server or an FTP Server, occupies a port. Typically, a connection uses standardized port numbers for each protocol (for example, HTTP = 80 and FTP = 21). That is why an end user has to select a specific port number for each defined Proxy Server. Web Browsers usually let the end user set the host name and port number of the Proxy Servers in a customizable panel. Protocols such as HTTP, FTP, Gopher, WAIS, and Security can usually have designated Proxies. Proxies are generally preferred over Socks for their ability to perform caching, high-level logging, and access control, because they provide a specific connection for each network service protocol.

HTTP CACHING 

[0025] HTTP is an Application Level protocol used by the TCP connections between WEB Browsers and HTTP Proxy Servers. Consequently, IP Datagrams exchanged between the WEB Browsers and HTTP Proxy Servers comprise HTTP data. Since HTTP Proxy Servers terminate and manage the HTTP connections, they see and handle the HTTP data comprised in the IP Datagrams and they can store a local copy of HTTP data in an internal cache.

[0026] When an HTTP Proxy Server receives from a source system (a WEB Browser) a request to retrieve HTTP data (a WEB page) located on a destination system (a WEB server), two situations can occur, depending on whether the requested HTTP data is already stored in the local cache or not.

• If the requested HTTP data is already located in the local cache, the HTTP Proxy Server immediately sends a response to the source system with the data stored in the cache.

• If the requested HTTP data is not located in the local cache, the HTTP Proxy Server forwards the request to the destination WEB system (the WEB server). When the HTTP Proxy Server receives from this destination WEB system (the WEB Server) the response comprising the HTTP data (the WEB page), it caches said HTTP data (the WEB page) in its local cache, and forwards the response to the source system (the WEB Browser).



[0027] When HTTP data are already located within the cache, the request does not need to be forwarded by the HTTP Proxy Server to the destination WEB system. A response is immediately returned by the HTTP Proxy server.

[0028] The HTTP Caching provides several advantages:

• The response time of the HTTP service is improved. The HTTP Proxy Server immediately answers the request to retrieve HTTP data when said HTTP data is already stored in the cache of the HTTP Proxy Server.

• The utilization of network resources is optimized. No traffic is required between the HTTP Proxy server and the destination WEB system for requested HTTP data already stored in the cache.

SOCKS AND SOCKS SERVER

[0029] Socks is a protocol which does some form of encapsulation of Application Level protocols (for instance FTP, Telnet, Gopher, HTTP). Using Socks, the Application Level traffic between a system running a Socks Client software and a system running a Socks Server software is encapsulated in a virtual Socks tunnel between both systems. Socks is mainly used by systems within an Intranet in order to gain a secure access to systems located outside the Intranet.

[0030] A Socks Server acts as a relay between the systems within the Intranet and the systems outside the Intranet, thus hiding the internal systems from the external Internet. It is considered as one form of Firewall.

[0031] A Socks Server (also called Socks Gateway) is a software that allows computers inside a Firewall to gain access to the Internet. A Socks Server is usually installed on a server positioned either inside or on the Firewall. Computers within the Firewall access the Socks Server as Socks Clients to reach the Internet. Web Browsers usually let the end user set the host name and port number of the Socks Servers in a customizable panel. On some Operating Systems, the Socks Server is specified in a separate file (e.g. socks.conf file). As the Socks Server acts as a layer underneath the protocols (HTTP, FTP, ...), it cannot cache data (as a Proxy does), because it doesn't decode the protocol to know what kind of data it transfers.

OPTIONS

[0032] The Web Browser often proposes the end user to select between the different options "No Proxies", "Manual Proxy Configuration", or "Automatic Proxy Configuration" to designate the connection between his computer and the Internet.

• Users with a direct connection to the Internet should use the default option, which is "No Proxies".

• If the Intranet is protected by one or several Firewalls, the end user may:

• select one of these Firewalls as the elected Proxy, by entering its host name into the "Manual Proxy Configuration", or

• automatically refer to the enterprise policy in terms of Proxies attribution between locations, by pointing to a common configuration file in a remote server. This is done by choosing the "Automatic Proxy Configuration" and by providing the Web Browser with the unique address of the common configuration file ("Universal Resource Locator" or "URL") located in the remote server.

[0033] Today, most of the Web Browsers are configured to forward all requests - even requests for internal hosts - through the Socks Firewall. So when an end user wants to access an internal Web-based application, his request travels to the Firewall, and is then reflected back into the internal network. This mechanism generates internal traffic over a long path, puts extra load on the Firewall and on the network, and worst of all, slows down the response time the end user sees from the applications and Web pages he tries to access. This is called "non flexible" Socks access (when everything goes via the Socks Server).


MANUAL PROXY CONFIGURATION 

[0034] The Manual Proxy configuration in the Web Browser is simple to process. However, the main drawback is that the Firewall (or Proxy) selection is static. There is no dynamic criterion for selecting the Firewall, such as selecting the Firewall according to the response time. Firewall failures require a manual reconfiguration of the navigation software to point to another active Firewall, since the manual configuration usually only allows the definition of one single Firewall per protocol with no possibility to pre-configure a backup Firewall. In addition to the manual proxy configuration in the Web Browser, external procedures can be used to provide some kind of robustness in the Firewall selection. They rely for instance on the use of multiple Firewalls having the same name defined as aliases in the Domain Name Server (DNS). But this technique based on alias definition still has drawbacks since for instance the DNS is not always contacted for name resolution (association between name and IP address) by Web Clients when said WEB Clients locally cache the name resolution. Other techniques using external hardware equipment such as load and request dispatchers provide more robustness and load balancing, but still have drawbacks such as the need for additional and costly hardware.

AUTOMATIC PROXY CONFIGURATION 

[0035] Automatic Proxy Configuration (or also re- 
ferred to as "autoproxy") can set the location of the HT- 
TP, FTP, and Gopher Proxy every time the Web Browser 
is started. An autoproxy retrieves a file of address rang- 
es and instructs the Web Browser to either directly ac- 
cess internal IBM hosts or to go to the Socks Server to 
access hosts on the Internet. 

[0036] Automatic Proxy Configuration is more desirable than simple Proxy Server Configuration in the Web Browser, because much more sophisticated rules can be implemented about the way Web pages are retrieved (directly or indirectly). Automatic Proxy Configuration is useful to users, because the Web Browser knows how to retrieve pages directly if the Proxy Server fails. Also Proxy requests can be directed to another or multiple Proxy Servers at the discretion of the system administrator, without the end user having to make any additional changes to his Web Browser configuration. In general, these Proxy configuration files (also called "autoproxy code") are usually written in the JavaScript language. The autoproxy facility can also contain a file of address ranges for instructing the Web Browser to either directly access internal hosts or to go to the Socks Server to access hosts on the Internet. The Socks Server protects the internal network from unwanted public access while permitting access of network members to the Internet. One of the drawbacks of this "autoproxy" mechanism is that there is no proactive Firewall failure detection nor response time consideration.

[0037] More explanations about the technical field presented in the above sections can be found in the following publications incorporated herewith by reference:

• "TCP/IP Tutorial and Technical Overview" by Martin W. Murhammer, Orcun Atakan, Stefan Bretz, Larry R. Pugh, Kazunari Suzuki, David H. Wood, International Technical Support Organization, October 1998, GG24-3376-05.

• "Java Network Programming" by Elliotte Rusty Harold, published by O'Reilly, February 1997.

• "Internet in a Nutshell" by Valerie Quercia, published by O'Reilly, October 1997.

• "Building Internet Firewalls" by Brent Chapman and Elizabeth Zwicky, published by O'Reilly, September 1995.

PROBLEM

[0038] The problem to solve is to police the WEB traf- 
fic within the Intranet. 

[0039] When multiple Proxy Servers are used by source devices within the Intranet (for instance workstations running a WEB Browser software) to get access to WEB systems located within the Internet, access rules are usually defined by the Network Administrator. The purpose of said access rules is to define the Proxy Server that should be used by each source device (workstation) or each group of source devices (group of workstations) within the Intranet, to get access to WEB systems located within the Intranet. For instance, source devices located in France should use a Proxy Server located in France, while source devices located in Germany should use a Proxy Server located in Germany.

[0040] Said access rules may be different according to the Application Level protocol (ALP). ALP traffic refers to IP Datagrams comprising data using said ALP (for instance, HTTP traffic is referring to all IP Datagrams comprising HTTP data). For instance, the access rules may stipulate that source devices located in Belgium should access one specific Proxy Server located in France for HTTP traffic, and should access another specific Proxy Server located in Belgium for FTP traffic. These access rules define a policy for accessing the WEB from the Intranet, and are therefore called "WEB access policy" or "WEB traffic policy". The main goals of said WEB traffic policy are to:

• Optimize the network resources within the Intranet. For instance, the specifications and therefore the cost of a Proxy Server depend on the number of source devices which will have access to it. A Proxy Server which will be accessed by 500 source devices will be smaller and therefore cheaper than a Proxy Server which will be accessed by 10000 source devices.


• Improve the performances of the WEB access service (access from source devices to WEB systems located within the Intranet). For instance, a Proxy Server set up in France is configured to provide a WEB access service to a specified number of source devices in France. When more source devices (for instance source devices located in Belgium) than expected are accessing said Proxy Server, the performance of said Proxy server may be degraded and may have an impact on the WEB access service.

• Optimize the utilisation of network resources, in par- 
ticular, minimize the bandwidth required within the 
Intranet for accessing WEB systems. For instance, 
when a source device located in France wants to 
access a WEB system through a Proxy Server, said 
source device should use a Proxy Server located in 
France instead of a Proxy server located in Japan, 
in order to minimize the path (and consequently to 
minimize the network resources utilization and the 
bandwidth between France and Japan) within the 
Intranet to reach the Proxy server. 

• Take advantage of WEB traffic caching, since Proxy Servers usually provide HTTP and FTP caching:

• The utilisation of the network resources located between the Proxy Server and the WEB system is optimized. No traffic is required between the Proxy Server and the destination WEB system, when HTTP data requested by a source device is already located within the cache of said Proxy Server.

• The response time of the HTTP service is improved. The requests to retrieve HTTP data already located within the cache on the HTTP Proxy Server are immediately satisfied by the HTTP Proxy Server.

[0041] It is generally admitted that an efficient WEB Caching must be done as close as possible to source devices. Thus, it is important for said source devices to have access to a Proxy server located close to them.

[0042] The problem is to apply the WEB access policy within the whole Intranet. For instance, when the WEB access policy defines that source devices located in France should use one specific Proxy Server located in France, the problem is to make sure that said source devices actually use said specific Proxy Server and do not use instead another Proxy Server (for instance located in Japan).

[0043] The current solutions address this problem partially:

• The WEB Application software (for instance a WEB Browser) running on the workstation can be manually configured with the target Proxy Servers. The main drawback of this solution is the following:

• Proxy Server names must be known and manually configured by end users. Wrong Proxy Server names may then be entered by end users, and the WEB traffic policy is then not applied. For instance, an end user located in Toulouse (France) may manually configure his WEB Browser to use a Proxy Server located in Paris instead of a Proxy Server located in Toulouse.

• Web Browsers can be configured with their auto- 
proxy feature. In this case, a static list of target 
Proxy Servers (a WEB traffic policy) is downloaded 
to the WEB Browser from a dedicated autoproxy 
URL (Uniform Resource Locator) system. The main 
drawbacks of this solution are the following: 

• The end user must configure his WEB Browser 
to use the autoproxy feature. If the end user 
does not configure his WEB Browser correctly 
the WEB traffic policy is then not applied. 

• The autoproxy feature has to be implemented 
within the Intranet. For instance, an autoproxy 
code must be implemented on the autoproxy 
URL system. 

Objects of the invention

[0044]

• An object of the present invention is to enforce the dispatching of Internet Protocol (IP) datagrams on a plurality of servers according to a defined policy.

• It is another object of the present invention to optimize the performances of the WEB access service, by enforcing the source devices to access the Internet through specific Proxy Servers according to a particular WEB traffic policy.

• It is yet another object of the present invention to optimize the utilisation of the Intranet network resources, by reducing the WEB traffic within the Intranet network.

• It is a further object of the present invention to simplify the configuration of the devices source of the WEB traffic within the Intranet.

Summary of the Invention 

[0045] A method and a system, in a network device, 
of enforcing the dispatching of Internet Protocol (IP) da- 
tagrams on a plurality of servers according to a defined 
policy, each IP datagram being sent from a source port 
on a source device to a destination port on a destination 
device in an Intranet network comprising a plurality of 
servers and at least one client. The method comprises 
the steps of: 

• determining whether the source device of an incoming IP datagram is a client or a server;

If the source device of the IP datagram is a client:

• identifying: client address, client port, destination address, and destination port of the IP Datagram;

• searching for a server address and a server port in a first table, this first table comprising a server address and a server port for each connection identified by a client address, a client port, a destination address and a destination port;

if a server address and a server port are identified in said first table, and if said server address and the destination address are different or if said server port and the destination port are different:

• replacing the destination address and the destination port in the IP datagram respectively by the server address and the server port;

• sending the IP datagram over the IP network.
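The steps above (also given in the abstract), combined with the per-location and per-protocol access rules of [0039]-[0040], worked as an added Python example; this is not code from the patent. The policy rules, the addresses, the function names (police_inbound, lookup_policy, build_datagram, ...) and the choice to police TCP only are assumptions of this example; the datagram bytes are constructed so the block runs offline.

```python
"""Inbound policing of client IP datagrams against a WEB traffic policy (added example)."""
import ipaddress
import socket
import struct

# WEB traffic policy ([0039]-[0040]): clients in `client_net` opening a connection to
# `dest_port` (80 = HTTP, 21 = FTP) must use the server at (srv_addr, srv_port).
# All addresses are constructed sample values, not taken from the patent.
POLICY = [
    (ipaddress.ip_network("10.1.0.0/16"), 80, "10.1.0.80", 80),   # France  -> French HTTP proxy
    (ipaddress.ip_network("10.2.0.0/16"), 80, "10.1.0.80", 80),   # Belgium -> French HTTP proxy
    (ipaddress.ip_network("10.2.0.0/16"), 21, "10.2.0.21", 21),   # Belgium -> Belgian FTP proxy
]
SERVER_ADDRS = frozenset(rule[2] for rule in POLICY)   # client-or-server test (steps 804, 806)

# "First table" (612): server address and port for each connection identified by
# client address, client port, destination address and destination port.
ConnKey = tuple[str, int, str, int]
DispatchTable = dict[ConnKey, tuple[str, int]]


def checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); 0 means the data verifies."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _fix_checksums(ip: bytearray, tcp: bytearray) -> bytes:
    """Recompute the IP header checksum and the TCP checksum. The TCP checksum covers
    a pseudo header with the destination address, so it changes on every rewrite."""
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[16:18] = b"\x00\x00"
    pseudo = struct.pack("!4s4sBBH", bytes(ip[12:16]), bytes(ip[16:20]), 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)


def build_datagram(src: str, sport: int, dst: str, dport: int, payload: bytes = b"") -> bytes:
    """Constructed sample IPv4/TCP SYN datagram (20-byte IP header, 20-byte TCP header)."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                               socket.inet_aton(src), socket.inet_aton(dst)))
    return _fix_checksums(ip, tcp)


def checksums_ok(dgram: bytes) -> bool:
    """True when both the IP header checksum and the TCP checksum verify."""
    ihl = (dgram[0] & 0x0F) * 4
    ip, tcp = dgram[:ihl], dgram[ihl:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def identify(dgram: bytes) -> ConnKey:
    """Step 904: client address, client port, destination address, destination port."""
    ihl = (dgram[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", dgram[ihl:ihl + 4])
    return (socket.inet_ntoa(dgram[12:16]), sport, socket.inet_ntoa(dgram[16:20]), dport)


def lookup_policy(key: ConnKey):
    """Server (address, port) the policy assigns to a new connection, or None."""
    client_addr, _, _, dport = key
    for net, port, srv_addr, srv_port in POLICY:
        if ipaddress.ip_address(client_addr) in net and port == dport:
            return (srv_addr, srv_port)
    return None


def police_inbound(dgram: bytes, table: DispatchTable) -> bytes:
    """Steps 804-909 for one incoming datagram; returns the datagram to send."""
    if dgram[9] != 6:                       # assumption of this example: only TCP is policed
        return dgram
    key = identify(dgram)
    if key[0] in SERVER_ADDRS:              # step 805: source is a server, forward untouched
        return dgram
    if key not in table:                    # first datagram of a connection: derive the entry
        hit = lookup_policy(key)
        if hit is None:
            return dgram                    # no rule for this client/protocol
        table[key] = hit
    srv_addr, srv_port = table[key]         # step 906: search the first table
    if (srv_addr, srv_port) == (key[2], key[3]):
        return dgram                        # client already addresses the policy's server
    ihl = (dgram[0] & 0x0F) * 4             # step 907: replace destination address and port
    ip, tcp = bytearray(dgram[:ihl]), bytearray(dgram[ihl:])
    ip[16:20] = socket.inet_aton(srv_addr)
    tcp[2:4] = struct.pack("!H", srv_port)
    return _fix_checksums(ip, tcp)          # step 909: checksums valid, ready to send
```

The rewrite of the destination address changes the TCP pseudo header, so the datagram must have both checksums recomputed or the target proxy's stack will drop it.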

20 

Brief description of the Drawings

[0046] The novel and inventive features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objects and advantages thereof, will best be understood by reference to the following detailed description of an illustrative detailed embodiment when read in conjunction with the accompanying drawings, wherein:

• Figure 1 is a logical view of an end user system accessing the World Wide Web, according to prior art.

• Figure 2 is a general view of an end user system accessing the World Wide Web according to prior art.

• Figure 3 shows an IP Datagram according to prior art.

• Figure 4 shows an end user workstation with a plurality of Proxy Servers according to prior art.

• Figure 5 shows a system for policing WEB traffic, according to the present invention.

• Figure 6 shows the tables used by the WEB Traffic Policing Extension, according to the present invention.

• Figure 7 is a flow chart of the Policing Definition Builder component, according to the present invention.

• Figure 8 is a flow chart of the Traffic Analyser component, according to the present invention.

• Figure 9 is a flow chart of the Inbound Policing Handler component, according to the present invention.

• Figure 10 is a flow chart of the Outbound Policing Handler component, according to the present invention.

• Figure 11 is a flow chart of the Policing Manager component, according to the present invention.


Preferred embodiment of the invention

ACCESS TO THE WORLD WIDE WEB

Logical View

[0047] Figure 1 shows a user system with a user interface (102) comprising a Web Browser (101) for accessing the World-Wide-Web (WWW). The WWW content is transferred using the HTTP protocol. HTTP requests and responses are exchanged between the Web Browser program (101) and a destination Web Server (103) containing the WWW information the user wants to access. The Socks Server (104) between the Web Browser (101) and the Web Server (103) acts as an intermediary HTTP Relay forwarding the HTTP requests and responses to their destination. The Web Browser program (101) makes an HTTP request to the HTTP Proxy Server (104) and the HTTP Proxy Server forwards the request to the destination Web Server (103). The flow in the reverse direction (HTTP response) again goes via the HTTP Proxy Server (104) to the Web Browser (101). In this way the HTTP Proxy Server can limit the traffic to authorised transactions according to its configuration (based on some defined security and access control policy). The HTTP Proxy Server hence protects the network where the Web Browser is located.

Physical View

[0048] Figure 2 is a physical view of the set-up logically described in Figure 1. In this particular example, the Web Browser (201) runs on a system (workstation) connected to an Intranet (202) network. The Intranet network comprises network devices such as IP Routers (206). The Proxy Servers (203) protecting the Intranet connect both the (private) Intranet (202) and the (public) Internet (204). The destination Web Server (205) is also connected to the Internet. It is important to note that Proxy Servers attach two networks and hence act as intermediaries for communications between said two networks. Multiple Proxy Servers are often used in order to provide access robustness and load sharing.

IP DATAGRAM

[0049] The transfer unit of a data packet in TCP/IP is called an IP Datagram. It is made up of a header containing information for the IP protocol and data that is only relevant to the higher level protocol. Figure 3 shows the format of an IP Datagram, in the environment described in Figures 1 and 2:

• (301) IP Datagram. An IP Datagram is a message exchanged between 2 computer systems across a TCP/IP network. An IP Datagram is divided in 2 parts:

• a Header, and

• Data.

• (302) IP Datagram Header. The header comprises fields such as:

• the Source IP Address (310) (the IP address of the computer which sends the IP Datagram), and the Destination IP Address (311) (the IP address of the computer which is the destination of the IP Datagram).

[0050] The IP Datagram Header is mainly used to route the IP Datagram to its final destination.

• (303) IP Datagram Data. This field comprises the data sent by the originator to the destination computer system. The destination computer system processes this data. Since the TCP/IP protocol suite is organised in layers, the IP Datagram Data field comprises the message relevant to the higher level protocol (which is TCP in the environment related to the invention).

• (304) TCP Segment. A TCP message is usually called a TCP Segment.

• (305) TCP Header. A TCP Header comprises fields such as the Source Port (312) and the Destination Port (313) which identify the application level protocol (e.g. HTTP, FTP, Telnet, Socks) transported by TCP. This field is mainly used by the destination of the IP Datagram to determine which application must process the data transported by TCP.

• (306) TCP Data. The TCP Data field comprises application data which are sent by the originator to the destination computer system. The destination computer system processes the data. Since the TCP/IP protocol suite is organised in layers, the TCP Data part comprises the information relevant to the higher level protocol, which is the Application level protocol (such as HTTP, FTP, Telnet, Socks).

• (307) Application Level Message. The TCP Data part of the IP Datagram contains an Application Level Message. This is for example a Socks message, an HTTP message, an FTP message, or a Telnet message. Depending on the Application level protocol, this Application Level Message can also be split in two parts.

• (308) Application Level Header. The Application Level Header is the header relevant to the application protocol such as HTTP, FTP, Telnet.

• (309) Application Level Data. This is the data part which is processed by the application responsible for handling the Application Level protocol. This is usually the data which is directly relevant to the end user (for instance, data entered by an end user on his workstation).

WEB BROWSER AND PROXY SERVER

[0051] Figure 4 shows an end user workstation (401) connected to an Intranet (402). The Proxy Servers (403) that protect the Intranet attach both the (private) Intranet (402) and the (public) Internet (404). The destination Web System (405) also connects to the Internet (the Web System is for instance a WEB Server, an FTP Server, or any system attached to the Internet that can be accessed from the Intranet).

[0052] Each Proxy Server (403) stores in a local cache a local copy of the HTTP (and possibly FTP) data retrieved from WEB systems located on the Internet by workstations located on the Intranet.

[0053] The end user workstation (401) comprises a software program called WEB Browser (406). The WEB Browser is configured to access WEB systems located on the Internet, through a Proxy Server (403).

[0054] When the WEB Browser wants to retrieve HTTP data (for instance a WEB page) from a destination WEB system (405), the end user workstation sends (408) an IP Datagram comprising a request to retrieve said HTTP data to a destination Proxy Server on the Intranet network. IP Routers within the Intranet receive the IP Datagram and route it (409) towards its destination. Each IP Router determines the next hop within the Intranet, using the Destination IP Address field in the IP Datagram Header.

[0055] When the Proxy Server receives from the workstation a request to retrieve HTTP data (a WEB page) located on a destination WEB system (a WEB server), the requested HTTP data is either already located in the local cache, or is not located in the local cache:

• If the requested HTTP data is already located in the cache, the HTTP Proxy Server immediately answers (412) the request with a response comprising the data in the cache.

• If the requested HTTP data is not located in the cache, the HTTP Proxy Server forwards (410) the request to the destination WEB system (the WEB server). When the HTTP Proxy Server receives a response (411) comprising the HTTP data (the WEB page) from the destination WEB system (the WEB Server), said HTTP data (the WEB page) are locally cached, and forwarded (412) to the originator system (the WEB Browser).

[0056] The workstation can also comprise a Socks Client software in order to get access to WEB systems located on the Internet. In this case, said access is done through Socks Server systems instead of being done through Proxy Servers.

IP ROUTER SYSTEM

[0057] The present invention relates to a system and method for policing the WEB traffic within the Intranet. Figure 5 is a view of a particular embodiment of the system used for policing the WEB traffic according to the present invention.

[0058] An end user workstation (a source device) (501) comprising a Web Browser is connected to the Intranet (502). Multiple Proxy Servers (503) are available to access the WEB System (505) connected to the Internet (504). According to the present invention, a system called ALP (Application Level Protocol) Policing Definition system (507) and located within the Intranet network is defined. This ALP Policing Definition system comprises tables called ALP Policing Definition tables (508). An ALP Policing Definition table is configured for each ALP traffic that needs to be policed within the Intranet. Typically, one table is configured for each major WEB Application Level Protocol (such as HTTP, FTP, and Socks). The ALP Policing Definition table defined for each specific ALP comprises information concerning the WEB traffic policy for said ALP. In particular, each ALP Policing Definition table contains the list of authorized Servers that must be used as destination of the IP Datagrams transporting data using said ALP. For instance, the ALP Policing Definition table configured for HTTP comprises information concerning the list of HTTP Proxy Servers that must be used by workstations (source devices) within the Intranet to access Web Systems located on the Internet.

[0059] Two mirrored ALP Policing Definition systems can possibly be used in order to provide a backup to the ALP Policing Definition tables (using for instance a Dispatcher system in front of the two systems).

[0060] An IP Router system (506) within the Intranet is in charge of routing IP Datagrams. According to the present invention, said IP Router system is also in charge of policing the WEB traffic. It comprises:

• an IP Routing component (509) for routing any IP Datagram within the Intranet. This IP Router component can be any existing IP Router.

• a Web Traffic Policing Extension component (510).
WEB TRAFFIC POLICING EXTENSION

[0061] The WEB Traffic Policing Extension provides a method for policing the WEB traffic, within the IP Router system. The WEB Traffic Policing Extension is configured with an ALP Policing Configuration table (512), said table comprising information concerning the ALP Policing Definition tables (508).

[0062] Once it is started, the WEB Traffic Policing Extension immediately starts a Policing Definition Builder component:

• (511) The Policing Definition Builder component uses the ALP Policing Configuration table (512) to retrieve the ALP Policing Definition tables (508) from the ALP Policing Definition system (507), and stores a local copy (508) of said tables within the IP Router system.

[0063] When the IP Router System (506) receives (518) an IP Datagram from an end user workstation (501), this IP Datagram is forwarded to the WEB Traffic Policing Extension (510). The IP Datagram is then forwarded in sequence to a plurality of other components to perform the method according to the present invention:

• (513) a Traffic Analyser component analyses the IP Datagram and determines if said IP Datagram is originated from a source device (a workstation) or from a server (a Proxy Server).

• (514) an Inbound Policing Handler component handles each IP Datagram originated by a source device. The Inbound Policing Handler:

• determines if said IP Datagram must be updated, based on a Policing Connection table (516) and based on the Source IP address, Source Port, Destination IP address, and Destination Port fields of said IP Datagram, and

• if said IP Datagram must be updated, updates the Destination IP Address and the Destination Port fields of said IP Datagram using information retrieved from said Policing Connection table (516).

• (515) an Outbound Policing Handler component handles each IP Datagram originated by a server. The Outbound Policing Handler:

• determines if said IP Datagram must be updated, based on a Policing Connection table (516) and based on the Source IP address, Source Port, Destination IP address, and Destination Port fields of said IP Datagram, and

• if said IP Datagram must be updated, updates the Source IP Address and the Source Port fields of said IP Datagram using information retrieved from said Policing Connection table (516).

• (517) a Policing Manager component handles each IP Datagram originated by a source device. The Policing Manager:

• determines the ALP (Application Level Protocol) of the data comprised within said IP Datagram using the Destination Port field of said IP Datagram,

• retrieves the policy information for said IP Datagram from the ALP Policing Definition table (508) (defined for the ALP of the data comprised in said IP Datagram) using the Source IP address, Source Port, Destination IP address, and Destination Port fields of said IP Datagram,

• if required by said policy information:

• discards said IP Datagram,

• builds the Policing Connection table (516) with the characteristics of the IP Datagram and with said policy information,

• updates the Destination IP Address and the Destination Port fields of said IP Datagram using said policy information.

The WEB Traffic Policing Extension finally forwards the IP Datagram to the IP Router component (509) within the IP Router System. This IP Router component routes (519) the IP Datagram towards its destination. The invention is independent of the IP Router component and does not rely on the way the IP Datagram is handled and routed by this IP Router component.

The WEB Traffic Policing Extension can be enabled or disabled on the IP Router system, by means for instance of a configuration parameter on said IP Router system. Typically, the WEB Traffic Policing Extension:

• is enabled on access IP Router systems at the edge of the Intranet.

• is disabled on the IP Router systems located within the Intranet backbone.

WEB TRAFFIC POLICING EXTENSION TABLES

[0064] Figure 6 depicts the different tables used by the various components comprised within the WEB Traffic Policing Extension.

[0065] The WEB Traffic Policing Extension uses configuration tables (508) comprising WEB traffic policy information. There is one configuration table (508) for each ALP traffic that needs to be policed within the Intranet. Typically, one table is configured for each major WEB Application Level Protocol (such as HTTP, FTP, and Socks). Each configuration table is created (for instance by a Network Administrator) and stored within the ALP Policing Definition system (507) before starting the WEB Traffic Policing Extension. The WEB Traffic Policing Extension then retrieves and receives each ALP Policing Definition table from said ALP Policing Definition system (507).

• (506) ALP Policing Definition table. There is one table for each ALP traffic that needs to be policed by the WEB Traffic Policing Extension. Each table comprises for each source device (typically a workstation) within the Intranet or for each group of source devices (typically a group of workstations):

• the address of the Server that should be used as destination of the IP Datagrams originated from said source device (or group of source devices) and comprising data using said ALP, and

• an indication for discarding said IP Datagrams.

[0066] The WEB Traffic Policing Extension also uses a configuration table (512) comprising information concerning each ALP Policing Definition table. This configuration table is created (for instance by a Network Administrator) before the WEB Traffic Policing Extension is started.

• (601) ALP Policing Configuration table. This table comprises for each Application Level Protocol:

• the address of the associated ALP Policing Definition table which comprises policing information for said ALP, and

• the frequency for retrieving said ALP Policing Definition table.

[0067] The other table is dynamically built and used by the WEB Traffic Policing Extension for internal purposes:

• (612) Policing Connection table. This table comprises for each source device originating the WEB traffic policed by the WEB Traffic Policing Extension:

• the destination Server used in the IP Datagrams originated from said source device, and

• the destination Server which is used as enforced destination of said policed traffic.

[0068] These three tables are detailed in Figure 6.

ALP POLICING CONFIGURATION TABLE

[0069] The ALP Policing Configuration table (601) (a flat file in a preferred embodiment) is created by the Network Administrator in charge of the Intranet. This table associates each Application Level Protocol with the address of the ALP Policing Definition table which comprises policy information for said ALP traffic, and the frequency for retrieving said ALP Policing Definition table. The table comprises a list of records (602), each record comprising the following information:

• (603) ALP (Application Level Protocol). There is one value for each Application Level protocol that needs to be policed by the WEB Traffic Policing Extension. Typically, one record is defined for each of the main Web protocols including HTTP, FTP, and Socks.

• (604) ALP_Policing_Definition_Address. This is the address of the ALP Policing Definition table defined for each ALP (603), and which is located on the ALP Policing Definition system (507). This information is used by the WEB Traffic Policing Extension to retrieve the ALP Policing Definition table (508) from the ALP Policing Definition system (507).

• (605) Frequency. The WEB Traffic Policing Extension waits a given period of time before retrieving a new version of the ALP Policing Definition table from the ALP Policing Definition system. The Frequency is used by the WEB Traffic Policing Extension to periodically update the local copy of the ALP Policing Definition table.

ALP POLICING DEFINITION TABLE

[0070] Each ALP Policing Definition table (606) (a flat file in a preferred embodiment) is created by the Network Administrator in charge of the Intranet. There is one table for each ALP traffic that needs to be policed by the WEB Traffic Policing Extension. Each table associates each source device (typically a workstation) or group of source devices within the Intranet, with:

• the address of the Server that should be used as the destination of IP Datagrams

• originated from said source device (or group of source devices) and

• comprising data using said ALP,

• an indication for discarding said IP Datagrams.

[0071] The table contains a list of records (607), each record comprising the following information:

• (608) Client_IP_Address. This is the IP address of a source device (typically a workstation) within the Intranet, or a range of IP addresses associated to a group of source devices within the Intranet (for instance all workstations located at a specific site). Typically, one record (607) is defined for each source device (or group of source devices) at the origin of the traffic the Network Administrator wants to police.

• (609) Server_IP_Address. This is the IP address of the Server system which must be used by the source device (608) (or group of source devices) for the ALP traffic it originates. The Server_IP_Address should be the destination IP address (311) of the IP Datagrams:

• sent by the source device (608), and

• comprising TCP data (306) using the Application Level protocol associated with the table (606) (one table is defined for each ALP).

[0072] For instance, the ALP Policing Definition table configured for HTTP comprises the list of HTTP Proxy Servers that must be used by the workstations within the Intranet to access Web Systems located on the Internet. The Server_IP_Address is then the IP address of the HTTP Proxy Server that the workstation (608) should use.

• (610) Server_Port. This is the Port number identifying the program (application) running on the Server system identified by the Server_IP_Address (609), and which must be used to process the ALP traffic. Server_Port is the Port number that should be used as destination Port (313) for IP Datagrams:

• sent by the source device (608), and

• comprising TCP data (306) using the Application Level protocol associated to the table (606) (one table is defined for each ALP).

[0073] For instance, the ALP Policing Definition table configured for HTTP comprises the list of HTTP Proxy Servers that should be used by the workstations within the Intranet to access Web Systems located on the Internet. The Server_Port is then the Port number (for instance 80) of the program running on the HTTP Proxy Servers to handle HTTP traffic. This Port number should then be used by the workstation (608) as destination port for HTTP traffic sent to the HTTP Proxy Server identified by Server_IP_Address (609).

• (611) Enforce_Discard. This is an indication for discarding IP Datagrams originated by the source device (608). The value of the Enforce_Discard indication can be "Yes" or "No":

• "Yes" means that the IP Datagram whose destination is not the Server system (609) must be discarded by the WEB Traffic Policing Extension.

• "No" means that the IP Datagram whose destination is not the Server system (609) must not be discarded by the WEB Traffic Policing Extension.

[0074] The table comprises a default record for all source devices which are not explicitly defined in a specific record (607).

POLICING CONNECTION TABLE

[0075] The Policing Connection table (612) is an internal table built by the Policing Manager component and used by the Inbound Policing Handler and the Outbound Policing Handler components. This table is used to store for each source device which originates WEB traffic policed by the WEB Traffic Policing Extension:

• the destination Server used by the IP Datagrams originated from said source device, and

• the destination Server used as enforced destination for said policed traffic.

[0076] The table contains a list of records (613), each record providing the following information:

• (614) Client_IP_Address. This is the IP address of the source device which originates traffic to police. Client_IP_Address contains the value of the Source IP address field (310) of IP Datagrams belonging to said traffic.

• (615) Client_Port. This is the number of the Port identifying the program (the application) running on the source device originating the traffic to police (this application is called the "source application"). Client_Port comprises the value of the Source Port field (312) of IP Datagrams belonging to said traffic.

[0077] Typically, there is one record (613) for each system within the Intranet originating WEB traffic to police. Each system is identified in a unique way by means of a source device (identified by Client_IP_Address (614)) and a source application (identified by Client_Port (615)). Each record (613) is then identified in a unique way by its Client_IP_Address (614) and its Client_Port (615).

• (616) Dest_IP_Address. This is the IP address of the Server system, destination of the IP Datagrams originated by the source application identified by Client_Port (615) and running on the source device identified by Client_IP_Address (614). Dest_IP_Address contains the value of the Destination IP address field (311) of said IP Datagrams.

• (617) Dest_Port. This is the number of the Port identifying the program (the application) running on the Server system (616), destination of the IP Datagrams originated by the source application identified by Client_Port (615) and running on the source device identified by Client_IP_Address (614).

[0078] Dest_Port contains the value of the Destination Port field (311) of said IP Datagrams.

• (618) Server_IP_Address. This is the IP address of the Server system that must be the destination of the IP Datagrams originated by the source application identified by Client_Port (615) running on the source device identified by Client_IP_Address (614). Server_IP_Address is determined by the Policing Manager component using the ALP Policing Definition tables.

• (619) Server_Port. This is the number of the Port identifying the program (the application) running on the Server system (616) that must be the destination of the IP Datagrams originated by the source application identified by Client_Port (615) running on the source device identified by Client_IP_Address (614). Server_Port is determined by the Policing Manager component using the ALP Policing Definition tables.
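As an added example (not code from the patent), the following Python models an ALP Policing Definition table (records 607 to 611 above) and the Policing Manager decision that reads it together with the default record of [0074]: a datagram already addressed to the authorised server passes, a mismatch is discarded when Enforce_Discard is "Yes" and redirected to (Server_IP_Address, Server_Port) when it is "No". The flat-file column layout, the `default` keyword for the default record, CIDR notation for an address range and longest-prefix precedence between overlapping records are assumptions of this example, not the patent's format.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PolicingRecord:
    """One record (607) of an ALP Policing Definition table (606)."""
    client: Optional[ipaddress.IPv4Network]  # Client_IP_Address (608); None marks the default record
    server_ip: str                           # Server_IP_Address (609)
    server_port: int                         # Server_Port (610)
    enforce_discard: bool                    # Enforce_Discard (611): True for "Yes"


# Constructed flat file for the HTTP table. Column order, CIDR ranges and the
# "default" keyword are assumptions of this example, not the patent's format.
HTTP_TABLE_TEXT = """\
# Client_IP_Address  Server_IP_Address  Server_Port  Enforce_Discard
10.1.0.0/16          10.9.9.1           8080         No
10.2.5.0/24          10.9.9.2           8080         Yes
10.2.5.17            10.9.9.4           8080         No
default              10.9.9.3           8080         No
"""


def parse_definition_table(text: str) -> List[PolicingRecord]:
    """Parse the flat file; reject malformed rows and a table without a default record."""
    records: List[PolicingRecord] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(fields)}")
        client, server_ip, port, discard = fields
        if discard not in ("Yes", "No"):
            raise ValueError(f"line {lineno}: Enforce_Discard must be Yes or No")
        # a single address becomes a /32 network; strict=False tolerates host bits in a range
        net = None if client == "default" else ipaddress.ip_network(client, strict=False)
        ipaddress.ip_address(server_ip)  # validate Server_IP_Address, raises ValueError if bad
        records.append(PolicingRecord(net, server_ip, int(port), discard == "Yes"))
    if not any(r.client is None for r in records):
        raise ValueError("table has no default record ([0074])")
    return records


def lookup(table: List[PolicingRecord], client_ip: str) -> PolicingRecord:
    """Record for a source device: the most specific matching range, else the default record."""
    addr = ipaddress.ip_address(client_ip)
    best: Optional[PolicingRecord] = None
    for rec in table:
        if rec.client is not None and addr in rec.client:
            if best is None or rec.client.prefixlen > best.client.prefixlen:
                best = rec
    return best if best is not None else next(r for r in table if r.client is None)


def policing_decision(table: List[PolicingRecord], client_ip: str,
                      dest_ip: str, dest_port: int) -> Tuple[str, Optional[str], Optional[int]]:
    """Policing Manager outcome for one datagram of this ALP.

    'pass'     - already addressed to the authorised server (609, 610)
    'discard'  - Enforce_Discard is "Yes" and the destination differs
    'redirect' - Enforce_Discard is "No": rewrite to (Server_IP_Address, Server_Port)
    """
    rec = lookup(table, client_ip)
    if (dest_ip, dest_port) == (rec.server_ip, rec.server_port):
        return ("pass", dest_ip, dest_port)
    if rec.enforce_discard:
        return ("discard", None, None)
    return ("redirect", rec.server_ip, rec.server_port)


HTTP_TABLE = parse_definition_table(HTTP_TABLE_TEXT)
```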

POLICING DEFINITION BUILDER

[0079] The Policing Definition Builder component of the WEB Traffic Policing Extension is preferably a computer program running on the IP Router System.

[0080] This component is in charge of:

• retrieving the ALP Policing Definition tables (606) from the ALP Policing Definition system (507), using the ALP Policing Configuration table (601), and

• storing a local copy (508) of said tables within the IP Router system.

[0081] The Policing Definition Builder component immediately starts when the WEB Traffic Policing Extension starts. Figure 7 is a flow chart which refers to the internal logic of the Policing Definition Builder component. This component:

• (701) retrieves all records from the ALP Policing Configuration table (601, 705).

• (702) for each record (ALP) (603) in the ALP Policing Configuration table (705):

• retrieves the ALP Policing Definition table (707) associated with the ALP (603) from the ALP Policing Definition system (706). Said table is retrieved using the ALP_Policing_Definition_Address (604). Said table will be used by the WEB Traffic Policing Extension to police the traffic associated with said ALP (603). Preferably, the HTTP (or FTP) protocol is used to retrieve said table (the ALP_Policing_Definition_Address is used as URL). Encrypted protocols (such as Secure HTTP) can also be used.

• stores a local copy (508) of said retrieved ALP Policing Definition table within the network device where the WEB Traffic Policing Extension is running.

• (703) builds a list (ALP_Policing_List) with the Application Level protocols recorded in the ALP Policing Configuration table (705). Since there is one record (603) per ALP traffic which must be policed, ALP_Policing_List comprises the list of all ALPs (for instance HTTP, FTP, Socks) which must be policed by the WEB Traffic Policing Extension.

• (704) waits for some amount of time, before looping back to (701) to retrieve again the ALP Policing Definition tables (707). This amount of time is derived from the Frequency field (605) within the ALP Policing Configuration table (601). For instance, a Frequency (605) of 30 minutes in the record (602) defined for HTTP (603) indicates that the ALP Policing Definition table defined for HTTP will be retrieved every 30 minutes from the ALP Policing Definition system. This mechanism enables the Policing Definition Builder (hence the WEB Traffic Policing Extension) to periodically retrieve and store updates of the ALP Policing Definition tables.

[0082] Possibly, the ALP Policing Definition system (706) can register the Policing Definition Builder in order to automatically send it updates of the ALP Policing Definition tables.

TRAFFIC ANALYSER

[0083] The Traffic Analyser component of the WEB Traffic Policing Extension is preferably a computer program running on the IP Router System. This component is in charge of:

• determining if each received IP Datagram is originated from a source device (typically a workstation) or from a server system (typically a Proxy Server).

[0084] Figure 8 is a flow chart which refers to the internal logic of the Traffic Analyser component. This component:

• (801) retrieves an IP Datagram (the incoming IP Datagram).

• (802) gets ALP_Policing_List from the Policing Definition Builder. ALP_Policing_List comprises the list of all ALPs (for instance HTTP, FTP, Socks) which must be policed by the WEB Traffic Policing Extension.

• (803) retrieves from the IP Datagram information related to the ALP used by the data (303) comprised within said IP Datagram:

• DT_Dest_Port = Destination Port field (313) (in TCP Header (305) of said IP Datagram)

• DT_Source_Port = Source Port field (312) (in TCP Header (305) of said IP Datagram)

• (804) tests whether or not the IP Datagram is originated from a source device and comprises data that uses an ALP which must be policed. If DT_Dest_Port is listed in ALP_Policing_List, then the IP Datagram is originated from a source device and comprises data (303) that uses an ALP traffic which must be policed.

• If DT_Dest_Port is listed in ALP_Policing_List:

• (805) calls the Inbound Policing Handler.

• If DT_Dest_Port is not listed in ALP_Policing_List:

• (806) tests whether or not the IP Datagram is originated from a Server system and comprises data that uses an ALP which must be policed.

[0085] If DT_Source_Port is listed in ALP_Policing_List, then the IP Datagram is originated from a Server system and comprises data (303) that uses an ALP traffic which must be policed.

• If DT_Source_Port is listed in ALP_Policing_List:

• (807) calls the Outbound Policing Handler.

• If DT_Source_Port is not listed in ALP_Policing_List, then the IP Datagram does not comprise data which uses an ALP that must be policed:

• (808) forwards the IP Datagram to the IP Router component.

• (809) exits the WEB Traffic Policing Extension, and waits for the next IP Datagram.
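As an added example (not the patent's code), this Python models the Traffic Analyser test of steps 804 and 806 on a constructed IPv4/TCP datagram, and the rewrite the Inbound Policing Handler applies when the Policing Connection table (612) already holds a record keyed by the four fields Client_IP_Address, Client_Port, Dest_IP_Address and Dest_Port (the steps summarised in [0045]): the destination address and port are replaced and the IP header checksum is recomputed, together with the TCP checksum, which also covers the destination address through its pseudo-header. The port values in ALP_Policing_List, the table record and the datagram contents are constructed; option-free 20-byte IP and TCP headers are assumed.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

# Constructed ALP_Policing_List (703): server ports of the policed ALPs (HTTP, HTTP proxy, Socks).
ALP_POLICING_LIST = {80, 8080, 1080}

# Constructed Policing Connection table (612): one record (613) keyed by
# (Client_IP_Address, Client_Port, Dest_IP_Address, Dest_Port) and giving
# the enforced (Server_IP_Address, Server_Port).
ConnKey = Tuple[str, int, str, int]
POLICING_CONNECTION_TABLE: Dict[ConnKey, Tuple[str, int]] = {
    ("10.1.1.7", 40001, "10.9.9.1", 8080): ("10.9.9.2", 8080),
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) and segment."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment)


def build_datagram(src: str, sport: int, dst: str, dport: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4 + TCP (SYN, no options) datagram with valid checksums."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0))
    tcp[16:18] = struct.pack("!H", _tcp_checksum(src, dst, bytes(tcp) + payload))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                               0x1234, 0x4000, 64, 6, 0,
                               socket.inet_aton(src), socket.inet_aton(dst)))
    ip[10:12] = struct.pack("!H", internet_checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp) + payload


def parse(datagram: bytes) -> ConnKey:
    """Steps 803/904: (Source IP 310, Source Port 312, Destination IP 311, Destination Port 313)."""
    ihl = (datagram[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(datagram[12:16]), socket.inet_ntoa(datagram[16:20])
    sport, dport = struct.unpack("!HH", datagram[ihl:ihl + 4])
    return (src, sport, dst, dport)


def classify(datagram: bytes) -> str:
    """Traffic Analyser (Figure 8): 'inbound' (804), 'outbound' (806) or 'forward' (808)."""
    _, sport, _, dport = parse(datagram)
    if dport in ALP_POLICING_LIST:
        return "inbound"
    if sport in ALP_POLICING_LIST:
        return "outbound"
    return "forward"


def rewrite_destination(datagram: bytes, server_ip: str, server_port: int) -> bytes:
    """Step 907 and [0089]: replace fields 311 and 313, then recompute both checksums."""
    ihl = (datagram[0] & 0x0F) * 4
    ip, tcp = bytearray(datagram[:ihl]), bytearray(datagram[ihl:])
    ip[16:20] = socket.inet_aton(server_ip)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", internet_checksum(bytes(ip)))
    tcp[2:4] = struct.pack("!H", server_port)
    tcp[16:18] = b"\x00\x00"
    src = socket.inet_ntoa(bytes(ip[12:16]))
    tcp[16:18] = struct.pack("!H", _tcp_checksum(src, server_ip, bytes(tcp)))
    return bytes(ip) + bytes(tcp)


def inbound_policing_handler(datagram: bytes,
                             table: Dict[ConnKey, Tuple[str, int]] = POLICING_CONNECTION_TABLE
                             ) -> Optional[bytes]:
    """Steps 905-907; None means no record satisfies the four conditions (911: Policing Manager)."""
    key = parse(datagram)
    if key not in table:
        return None
    server_ip, server_port = table[key]
    if (server_ip, server_port) == (key[2], key[3]):
        return datagram  # already addressed to the enforced server: nothing to rewrite
    return rewrite_destination(datagram, server_ip, server_port)


def checksums_valid(datagram: bytes) -> bool:
    """True when both the IP header checksum and the TCP checksum verify (sum to zero)."""
    ihl = (datagram[0] & 0x0F) * 4
    ip, tcp = datagram[:ihl], datagram[ihl:]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    return internet_checksum(ip) == 0 and _tcp_checksum(src, dst, tcp) == 0
```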

INBOUND POLICING HANDLER 

[0086] The Inbound Policing Handler component of 
the WEB Traffic Policing Extension is preferably a com- 
puter program running on the IP Router System. This 
component handles each IP Datagram originated by a 



source device, and is in charge of : 

determining if said IP Datagram must be updated, 
based on a Policing Connection table (612) and 
5 based on the Source IP address. Source Port, Des- 
tination IP address, and Destination Port fields of 
said IP Datagram, and 

• if said IP Datagram must be updated, updating the 
Destination IP Address and the Destination Port 

10 fields of said IP Datagram using information re- 
trieved from said Policing Connection table (612). 

[0087] Figure 9 is a flow chart which refers to the in- 
ternal logic of the Inbound Policing Handler component. 
15 This component: 

• (901) retrieves one IP Datagr 

(902) retrieves all records of the Policing Connec- 
20 tion table (903) 

• (904) retrieves from the IP Datagram, information 
indicating the source and the destination of said IP 
Datagram: 

25 

• DT„Source__IP_Address = Source IP Address 
(310) (in IP Header (302) of said IP Datagram) 

• DT_Dest_IP_Address = Destination IP Ad- 
dress field (311) (in IP Header (302) of said IP 

30 Datagram) 

• (905) finds in the Policing Connection table (903) a 
record (613) identified by (four conditions): 

• Client_IP_Address (614) = DT_Source_IP_ 
Address 

• Client_Port (615) = DT_Source_Port 

• Dest_IP_Address (616) = DT_Dest_ 
IP_Address 

• Dest_Port (617) = DT_Dest_Port 

• If there is no record satisfying said four conditions, 
then the IP Datagram belongs to a connection 
which is not yet defined within the Policing Connec- 
tion table: 

• (911) calls the Policing Manager component. 

• If there is a record (called "record_R") satisfying 
said four conditions: 

[0088] Then the IP Datagram belongs to a connection 
which is already defined within the Policing Connection 
table. 

• (906) retrieves from "record_R" the information in- 
dicating which Server system is the destination 
Server system of the IP Datagram: 

• Server_IP_Address (618) 

• Server_Port (619). 

• (907) updates the IP Datagram with information 
identifying said destination Server system: 

• Destination IP address field (311) in IP Header 
(302) = Server_IP_Address (618) 

• Destination Port field (313) in TCP Header 
(305) = Server_Port (619) 

[0089] This forces the IP Datagram to be sent to 
the destination Server system (618) which is defined in 
the WEB traffic policy. The values of checksum fields 
comprised in the IP Datagram (for instance the Header 
Checksum in the IP Header, and the TCP Checksum, 
which covers the Destination IP Address through the TCP 
pseudo-header as well as the Destination Port) are 
updated accordingly; otherwise the Server system 
discards the rewritten segment. 

• (908) maintains the Policing Connection table (903) 
and in particular removes from the Policing Connec- 
tion table records belonging to closed connec- 
tions. Closed connections are detected for instance 
using the FIN and ACK indications in the TCP Head- 
er. Optionally, a connection is considered closed af- 
ter a certain period of time without IP Datagram on 
that connection (this timer value can be for instance 
a configuration parameter of the WEB Traffic Polic- 
ing Extension). Any other existing algorithm to de- 
tect closed or half closed (for instance when one 
extremity of the connection has abnormally termi- 
nated) TCP connections can also be used to re- 
move such connections from the table. 

• (909) forwards the updated IP Datagram to the IP 
Router component. The updated IP Datagram is 
then sent to the Server system defined in the WEB 
traffic policy. 

• (910) exits the WEB Traffic Policing Extension, and 
waits for the next IP Datagram. 
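
Paragraph [0089] only says that the checksums are "updated accordingly". The following is an added example, not code from the patent, of what that entails for a TCP/IP datagram: after step 907 replaces the Destination IP Address (311) and the Destination Port (313), both the IP Header Checksum and the TCP checksum have to be recomputed, because the TCP checksum covers the destination address through its pseudo-header. The packet, the payload and the addresses (10.1.1.5, 10.9.9.9, 10.1.200.1, port 3128) are constructed for the example; the incremental update shown alongside the full recomputation is the RFC 1624 method, which the patent does not name.

```python
# Added example, not code from EP 1 094 649 A2: the checksum work implied by step 907 (and
# 1010) when Destination IP Address (311) and Destination Port (313) of a TCP/IP datagram
# are rewritten. Packets and addresses below are constructed sample input.
import struct
from ipaddress import IPv4Address


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 header (302) + TCP header (305) + payload, with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp


def rewrite_destination(packet: bytes, new_dst: str, new_dport: int) -> bytes:
    """Step 907: replace fields 311 and 313, then fix the IP Header Checksum and the TCP
    checksum (which covers the destination address through the pseudo-header)."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip[16:20] = IPv4Address(new_dst).packed
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[2:4] = struct.pack("!H", new_dport)
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, ip[9], len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)


def incremental_checksum(old_csum: int, old_words: bytes, new_words: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): update per changed 16-bit word instead of
    re-summing the whole header, which is what a router in the forwarding path does."""
    total = (~old_csum) & 0xFFFF
    for (m,), (m_new,) in zip(struct.iter_unpack("!H", old_words), struct.iter_unpack("!H", new_words)):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify(packet: bytes) -> bool:
    """The receiver's check: both sums over the covered bytes must come out as 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    return ones_complement_sum(ip) == 0xFFFF and ones_complement_sum(pseudo + tcp) == 0xFFFF


def demo() -> dict:
    """Constructed scenario: the client addressed the Paris proxy 10.9.9.9:8080, the policy
    redirects it to 10.1.200.1:3128. 'stale' shows the address rewritten without the checksums."""
    pkt = build_packet("10.1.1.5", "10.9.9.9", 40000, 8080, b"GET http://example.test/ HTTP/1.0\r\n\r\n")
    new = rewrite_destination(pkt, "10.1.200.1", 3128)
    old_hc = struct.unpack("!H", pkt[10:12])[0]
    stale = bytearray(pkt)
    stale[16:20] = IPv4Address("10.1.200.1").packed
    return {
        "old_ok": verify(pkt),
        "new_ok": verify(new),
        "new_dst": str(IPv4Address(new[16:20])),
        "new_dport": struct.unpack("!H", new[22:24])[0],
        "incremental_matches": incremental_checksum(old_hc, pkt[16:20], new[16:20])
                               == struct.unpack("!H", new[10:12])[0],
        "stale_checksum_detected": not verify(bytes(stale)),
    }
```

The same incremental formula applies to the TCP checksum, with the pseudo-header words for the old and new destination address and the old and new port as the changed words; a device that rewrites only the IP header and forgets the TCP checksum produces a datagram the router accepts but the Server system's TCP stack drops.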


POLICING MANAGER 

[0090] The Policing Manager component of the WEB 
Traffic Policing Extension is preferably a computer pro- 
gram running on the IP Router System. This component 
handles each IP Datagram originated by a source de- 
vice for which no connection is yet defined in the Polic- 
ing Connection table. It is in charge of: 

• determining the ALP (Application Level Protocol) of 
the data comprised within said IP Datagram using 
the Destination Port field of said IP Datagram, 

• retrieving the policy information related to said IP 
Datagram from the ALP Policing Definition table 
(508) defined for the ALP of the data comprised in 
said IP Datagram, using the Source IP address, 
Source Port, Destination IP address, and Destina- 
tion Port fields of said IP Datagram, 

• if required by said policy information: 

• discarding said IP Datagram, or 

• building the Policing Connection table (612) 
with the characteristics of the IP Datagram and 
with said policy information, and 

• updating the Destination IP Address and the 
Destination Port fields of said IP Datagram us- 
ing said policy information. 

[0091] Figure 10 is a flow chart which refers to the in- 
ternal logic of the Policing Manager component. This 
component: 

• (1001) retrieves one IP Datagram. 

• (1002) selects the ALP Policing Definition table 
which must be used for policing the IP Datagram. 
Said table is associated with the ALP used by the 
data comprised within the IP Datagram. Said ALP 
is identified by DT_Dest_Port. For instance, if the IP 
Datagram comprises data using HTTP, then the se- 
lected table is the ALP Policing Definition table as- 
sociated with the HTTP protocol. 

• (1003) retrieves from said selected ALP Policing 
Definition table (1004) the record (called 
"record_P") associated with the IP Datagram. Said 
record is identified by: 

• Client_IP_Address (608) = DT_Source_IP_ 
Address (Client_IP_Address is a specific IP Ad- 
dress identifying one source device), or 

• Client_IP_Address (608) comprises DT_ 
Source_IP_Address (Client_IP_Address is an 
IP Address range identifying one group of 
source devices). 

• (1005) tests whether the IP Datagram must be po- 
liced. The IP Datagram must be policed when the 
destination system is not the Server system which 
should be used. The test uses the policy informa- 
tion retrieved from "record_P". If (both conditions): 

• DT_Dest_IP_Address = Server_IP_Address 
(609), and 

• DT_Dest_Port = Server_Port (610), 

then the destination of the IP Datagram is the Server 
system which must be used, and therefore the 
IP Datagram does not need to be policed. Oth- 
erwise, the IP Datagram must be policed. 

• If the IP Datagram does not need to be policed: 

• (1012) forwards the IP Datagram to the IP Router 
component. The IP Datagram will then be sent to 
the Server system which has been correctly set by 
the source device. No WEB traffic policy is en- 
forced. 

• (1013) exits the WEB Traffic Policing Extension, 
and waits for the next IP Datagram. 

• If the IP Datagram must be policed: 

• (1006) tests whether or not the IP Datagram 
must be discarded. The IP Datagram must be 
discarded if Enforce_Discard (611) = "Yes" in 
"record_P". 

• If the IP Datagram must be discarded: 

• (1007) discards the IP Datagram. 

• (1013) exits the WEB Traffic Policing Exten- 
sion, and waits for the next IP Datagram. 

• If the IP Datagram must not be discarded: 

• (1008) creates a new record (613) in the Polic- 
ing Connection table (1009) for the connection 
of the IP Datagram: 

• Client_IP_Address (614) = DT_Source_IP_Address 

• Client_Port (615) = DT_Source_Port 

• Dest_IP_Address (616) = DT_Dest_IP_Address 

• Dest_Port (617) = DT_Dest_Port 

• Server_IP_Address (618) = Server_IP_Address 
(609) (from "record_P") 

• Server_Port (619) = Server_Port (610) (from 
"record_P"). 

• (1010) updates the IP Datagram with information 
identifying the destination Server system that must 
be used: 

• Destination IP address field (311) in IP Header 
(302) = Server_IP_Address (609) 

• Destination Port field (313) in TCP Header 
(305) = Server_Port (610) 

[0092] This forces the IP Datagram to be sent to 
the destination Server system (609) defined in the WEB 
traffic policy. The values of checksum fields comprised 
in the IP Datagram (for instance the Header Checksum 
in the IP Header) are updated accordingly. 

• (1011) maintains the Policing Connection table 
(1009) and in particular removes from the Policing 
Connection table records belonging to closed 
connections. Closed connections are detected for 
instance using the FIN and ACK indications in the 
TCP Header. Optionally, a connection is considered 
closed after a certain period of time without IP Da- 
tagram on that connection (this timer value can be 
for instance a configuration parameter of the WEB 
Traffic Policing Extension). Any other existing algo- 
rithm to detect closed or half closed (for instance 
when one extremity of the connection has abnor- 
mally terminated) TCP connections can also be 
used to remove such connections from the table. 

• (1012) forwards the updated IP Datagram to the IP 
Router component. The updated IP Datagram is 
then sent to the Server system defined in the WEB 
traffic policy. 

• (1013) exits the WEB Traffic Policing Extension, 
and waits for the next IP Datagram. 

OUTBOUND POLICING HANDLER 

[0093] The Outbound Policing Handler component of 
the WEB Traffic Policing Extension is preferably a com- 
puter program running on the IP Router System. This 
component handles each IP Datagram originated by a 
Server system. It is in charge of: 

• determining if said IP Datagram must be updated, 
based on the Policing Connection table (612) and 
based on the Source IP address, Source Port, Des- 
tination IP address, and Destination Port fields of 
said IP Datagram, and 

• if said IP Datagram must be updated, updating the 
Source IP Address and the Source Port fields of 
said IP Datagram using information retrieved from 
said Policing Connection table (612). 

[0094] Figure 11 is a flow chart which refers to the in- 
ternal logic of the Outbound Policing Handler compo- 
nent. This component: 

• (1101) retrieves one IP Datagram. 

• (1102) retrieves all records of the Policing Connec- 
tion table (1103). 

• (1104) retrieves from the IP Datagram the information 
indicating the source and the destination of said IP 
Datagram: 

• DT_Source_IP_Address = Source IP Address 
field (310) (in IP Header (302) of said IP Datagram) 

• DT_Source_Port = Source Port field (312) (in 
TCP Header (305) of said IP Datagram) 

• DT_Dest_IP_Address = Destination IP Ad- 
dress field (311) (in IP Header (302) of said IP 
Datagram) 

• DT_Dest_Port = Destination Port field (313) (in 
TCP Header (305) of said IP Datagram) 

• (1105) finds in the Policing Connection table (1103) 
one record (613) identified by (four conditions): 

• Client_IP_Address (614) = DT_Dest_ 
IP_Address 

• Client_Port (615) = DT_Dest_Port 

• Server_IP_Address (618) = DT_Source_IP_ 
Address 

• Server_Port (619) = DT_Source_Port 
• If there is no record satisfying said four condi- 
tions, then the IP Datagram belongs to a con- 
nection which is not defined within the Policing 
Connection table. There is therefore no WEB 
traffic policing required for the IP Datagram: 

• (1109) forwards the IP Datagram to the IP Rout- 
er component. 

• (1110) exits the WEB Traffic Policing Extension, 
and waits for the next IP Datagram. 

• If there is a record (called "record_R") satisfying 
said four conditions, then the IP Datagram be- 
longs to a connection which is already defined 
within the Policing Connection table: 

• (1106) retrieves from "record_R" the information indi- 
cating the destination system of the IP Datagrams 
originated from the source device: 

• Dest_IP_Address (616) 

• Dest_Port (617) 

• (1107) updates the IP Datagram with information 
identifying said destination system: 

• Source IP address field (310) in IP Header 
(302) = Dest_IP_Address (616). 

• Source Port field (312) in TCP Header (305) = 
Dest_Port (617). 

[0095] This way, the IP Datagram appears to the source 
device (614) as being sent by the system (616) which is 
the destination of the IP Datagrams originated by said 
source device; the address of the Server system (618) 
actually used never appears in what the source device 
receives. The values of checksum fields comprised in 
the IP Datagram (for instance the Header Checksum in 
the IP Header) are updated accordingly. 

• (1108) maintains the Policing Connection table 
(1103) and in particular removes from the Policing 
Connection table records associated with closed 
connections. Closed connections are detected for 
instance using the FIN and ACK indications in the 
TCP Header. Optionally, a connection is considered 
closed after a certain period of time without IP Da- 
tagram on that connection (this timer value can be 
for instance a configuration parameter of the WEB 
Traffic Policing Extension). Any other existing algo- 
rithm to detect closed or half closed (for instance 
when one extremity of the connection has abnor- 
mally terminated) TCP connections can also be 
used to remove such connections from the table. 

• (1109) forwards the updated IP Datagram to the IP 
Router component. The updated IP Datagram is 
then sent to the source device, which receives it as 
a reply from the system it originally addressed rather 
than from the Server system selected by the WEB 
traffic policy. 

• (1110) exits the WEB Traffic Policing Extension, and 
waits for the next IP Datagram. 
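
The three handlers above (Figures 9, 10 and 11) are steps of one mechanism sharing the Policing Connection table. The Python model below is an added illustration, not code from the patent: it runs a client datagram addressed to the wrong proxy through the Inbound Policing Handler and the Policing Manager (redirected at 907/1010), runs the proxy's reply through the Outbound Policing Handler (rewritten at 1107 so the client sees the address it originally used), drops a client covered by an Enforce_Discard record (1007), and removes table rows once a FIN has been seen in both directions or after the idle timer (908/1011/1108). Two points are assumptions, because the page does not state them: ALP_Policing_List is taken to hold the ALP ports plus every Server_Port named in a policy, and a client with no matching record in the ALP Policing Definition table is forwarded unchanged. All addresses and ports are made up.

```python
# Added illustrative model of the WEB Traffic Policing Extension; not code from EP 1 094 649 A2.
# Assumed (the page does not say): ALP_Policing_List = the ALP ports plus every Server_Port in a
# policy, and a client with no matching policy record (step 1003) is forwarded unchanged.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import time

@dataclass
class Datagram:      # fields of (301) the extension inspects: 310, 312, 311, 313 and the TCP FIN flag
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    fin: bool = False

@dataclass
class PolicyRecord:  # one row of an ALP Policing Definition table (606)
    clients: str                   # Client_IP_Address (608): one host or a CIDR range
    server_ip: str                 # Server_IP_Address (609)
    server_port: int               # Server_Port (610)
    enforce_discard: bool = False  # Enforce_Discard (611)

@dataclass
class ConnRecord:    # one row (613) of the Policing Connection table (612), fields 614-619
    client_ip: str
    client_port: int
    dest_ip: str                   # what the client actually addressed
    dest_port: int
    server_ip: str                 # where the policy really sends it
    server_port: int
    last_seen: float
    fin_client: bool = False
    fin_server: bool = False

class PolicingExtension:
    def __init__(self, alp_tables, idle_timeout=300.0, clock=time.monotonic):
        self.alp_tables = alp_tables          # {ALP port: [PolicyRecord, ...]}
        self.policing_list = set(alp_tables) | {p.server_port for t in alp_tables.values() for p in t}
        self.conn_table = []                  # Policing Connection table (612)
        self.idle_timeout, self.clock = idle_timeout, clock

    def handle(self, dg):
        """Steps 804-809: classify by port, dispatch, then prune the table (908/1011/1108).
        Returns the datagram handed to the IP Router component, or None if discarded."""
        if dg.dst_port in self.policing_list:          # originated by a client
            out = self._inbound(dg)
        elif dg.src_port in self.policing_list:        # originated by a server
            out = self._outbound(dg)
        else:
            out = dg                                   # not a policed ALP
        now = self.clock()                             # drop closed (FIN both ways) and idle rows
        self.conn_table = [r for r in self.conn_table
                           if not (r.fin_client and r.fin_server) and now - r.last_seen < self.idle_timeout]
        return out

    def _find(self, **key):
        return next((r for r in self.conn_table if all(getattr(r, k) == v for k, v in key.items())), None)

    def _inbound(self, dg):                            # Figure 9
        rec = self._find(client_ip=dg.src_ip, client_port=dg.src_port,
                         dest_ip=dg.dst_ip, dest_port=dg.dst_port)                # step 905
        return self._policing_manager(dg) if rec is None else self._to_server(rec, dg)  # 911 / 906-907

    def _policing_manager(self, dg):                   # Figure 10
        table = self.alp_tables.get(dg.dst_port, [])                              # step 1002
        record_p = next((p for p in table
                         if ip_address(dg.src_ip) in ip_network(p.clients, strict=False)), None)  # 1003
        if record_p is None or (dg.dst_ip, dg.dst_port) == (record_p.server_ip, record_p.server_port):
            return dg                                  # no policy, or step 1005: destination already right
        if record_p.enforce_discard:                   # step 1006
            return None                                # step 1007
        rec = ConnRecord(dg.src_ip, dg.src_port, dg.dst_ip, dg.dst_port,
                         record_p.server_ip, record_p.server_port, self.clock())
        self.conn_table.append(rec)                    # step 1008
        return self._to_server(rec, dg)                # step 1010

    def _outbound(self, dg):                           # Figure 11
        rec = self._find(client_ip=dg.dst_ip, client_port=dg.dst_port,
                         server_ip=dg.src_ip, server_port=dg.src_port)            # step 1105
        if rec is None:
            return dg                                  # step 1109: not a policed connection
        rec.last_seen, rec.fin_server = self.clock(), rec.fin_server or dg.fin
        return Datagram(rec.dest_ip, rec.dest_port, dg.dst_ip, dg.dst_port, dg.fin)  # step 1107

    def _to_server(self, rec, dg):                     # steps 907 / 1010
        rec.last_seen, rec.fin_client = self.clock(), rec.fin_client or dg.fin
        return Datagram(dg.src_ip, dg.src_port, rec.server_ip, rec.server_port, dg.fin)

def demo():
    """Constructed scenario: clients in 10.1.0.0/16 are configured for the "Paris" proxy
    10.9.9.9:8080 but the policy sends them to 10.1.200.1:3128; 10.2.0.0/16 is dropped."""
    ext = PolicingExtension({8080: [PolicyRecord("10.1.0.0/16", "10.1.200.1", 3128),
                                    PolicyRecord("10.2.0.0/16", "10.2.200.1", 3128, True)]})
    req = ext.handle(Datagram("10.1.1.5", 40000, "10.9.9.9", 8080))      # redirected to 10.1.200.1:3128
    resp = ext.handle(Datagram("10.1.200.1", 3128, "10.1.1.5", 40000))   # appears to come from 10.9.9.9:8080
    denied = ext.handle(Datagram("10.2.3.4", 41000, "10.9.9.9", 8080))   # Enforce_Discard: None
    return {"req_to": (req.dst_ip, req.dst_port), "resp_from": (resp.src_ip, resp.src_port),
            "denied": denied is None, "connections": len(ext.conn_table)}
```

The idle timer is what keeps the table bounded: without it, a client that opens connections and never closes them grows the Policing Connection table without limit, the same state-exhaustion concern as for any NAT or other stateful device in the path. The injectable clock exists only so that the timeout can be exercised without waiting.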


ADVANTAGES 

[0096] The present invention provides the following 
advantages: 

• The WEB traffic policy is defined at one central lo- 
cation (the ALP Policing Definition system), and 
does not have to be configured on multiple network 
devices or workstations. 

• Updates related to the WEB traffic policy can be pe- 
riodically retrieved by network devices comprising 
the WEB Traffic Policing Extension. For instance, a 
new Proxy Server may be set up for a group of 
source devices in order to provide a better WEB ac- 
cess service. Because it periodically retrieves the 
WEB traffic policy updates, the WEB Traffic Policing 
Extension is then able to direct towards said new 
Proxy Server the traffic originated by said group of 
source devices. 

• Updates of the WEB traffic policy can be automati- 
cally received by network devices comprising the 
WEB Traffic Policing Extension. For instance, a new 
Proxy Server may be set up for a group of source 
devices in order to provide a better WEB access 
service. Because it automatically receives the WEB 
traffic policy updates, the WEB Traffic Policing Ex- 
tension is then able to direct towards said new 
Proxy Server the traffic originated by said group of 
source devices. 

• The WEB traffic policy forces WEB traffic origi- 
nated by end user workstations to use predefined 
servers within the Intranet even when the end user 
workstations are not correctly configured. Since the 
WEB traffic policing is done within the Intranet (by 
the WEB Traffic Policing Extension), an error in the 
configuration of an end user workstation can be cor- 
rected. For instance, a workstation located in Tou- 
louse (France) may be configured to send HTTP 
traffic to an HTTP Proxy Server located in Paris. The 
WEB Traffic Policing Extension can direct said traf- 
fic to a closer HTTP Proxy Server (for instance an 
HTTP Proxy Server located in Toulouse). 

• The network resources within the Intranet are opti- 
mized. For instance, the specifications and there- 
fore the cost of a Proxy Server are related to the 
number of source devices which will access it. A 
Proxy Server which will be accessed by 500 source 
devices will be smaller and therefore cheaper than 
a Proxy Server which will be accessed by 10000 
source devices. 

• The performance of the WEB access service is im- 
proved. For instance, when a Proxy Server is set 
up in France, it is configured to provide WEB access 
service to a specified number of source devices in 
France. When more source devices (for instance 
source devices located in Belgium) than expected 
are accessing said Proxy Server, the performance 
of said Proxy Server may be degraded with an im- 
pact on the performance of the WEB access serv- 
ice. The WEB traffic policy ensures that the servers 
are not accessed by unexpected source devices. 

• The utilization of network resources is optimized. In 
particular, bandwidth within the Intranet is saved. 
For instance, when a source device located in 
France wants to access a WEB system through a 
Proxy Server, said source device will use a Proxy 
Server located in France instead of any other Proxy 
Server (for instance a Proxy Server located in Ja- 
pan). The path within the Intranet to reach the Proxy 
Server is minimized (the utilization of network re- 
sources and the required bandwidth between 
France and Japan are also minimized). 

• There is no impact on, nor dependency on, the end user 
workstation. No specific software is required on end 
user workstations. 


[0097] While the invention has been particularly 
shown and described with reference to a preferred em- 
bodiment, it will be understood that various changes in 
form and detail may be made therein without departing 
from the spirit and scope of the invention. In particular, 
the present invention is not limited to WEB traffic han- 
dled by Proxy Servers, but relates to any IP traffic 
(Socks, FTP, HTTP, ...) handled by any Server in the In- 
tranet (Socks Servers, FTP Servers, WEB Servers, ...). 



Claims 

1. A method, in a network device, of enforcing the dis- 
patching of Internet Protocol (IP) datagrams on a 
plurality of servers (503) according to a defined pol- 
icy, each IP datagram being sent from a source port 
on a source device to a destination port on a desti- 
nation device in an Intranet network (502) compris- 
ing a plurality of servers (503) and at least one client 
(501), said method comprising the steps of: 

• determining (804, 806) whether the source de- 
vice of an incoming IP datagram is a client (501) 
or a server (503); 

if (805) the source device of the IP datagram is a 
client (501): 

• identifying (803, 904): 

• client address (310), 

• client port (312), 

• destination address (311), 

• destination port (313), 

of the IP Datagram (301); 

• searching (906) for a server address and a 
server port in a first table (612), said first table 
comprising a server address (618) and a server 
port (619) for each connection (613) identified 
by a client address (614), a client port (615), a 
destination address (616) and a destination 
port (617); 

if a server address and a server port are identified 
in said first table, and if said server address and 
the destination address are different or if said 
server port and the destination port are different: 

• replacing (907) the destination address (311) 
and the destination port (313) in the IP data- 
gram respectively by the server address (618) 
and the server port (619); 

• sending (909) the IP datagram over the IP net- 
work (502). 

2. A method according to the preceding claim com- 
prising the further steps of: 

if the server address and the destination address 
are identical and if the server port and the destina- 
tion port are identical: 

• maintaining the destination address (311) and 
the destination port (313) in the IP datagram; 

• sending the IP datagram over the IP network 
(502). 

3. The method according to any one of the preceding 
claims comprising the further steps of: 

if (807) the source device of the IP datagram is a 
server (503): 

• identifying (803, 1104): 

• server address (310), 

• server port (312), 

• client address (311), 

• client port (313), 

of the IP Datagram (301); 

• searching (1106) for a destination address and 
a destination port in said first table (612), said 
first table comprising a destination address 
(616) and a destination port (617) for each con- 
nection (613) identified by a server address 
(618), a server port (619), a client address (614) 
and a client port (615); 

if a destination address and a destination port are 
identified in said first table, and if the server address 
and the destination address are different or if the 
server port and the destination port are different: 

• replacing (1107) the server address (310) and 
the server port (312) in the IP datagram respec- 
tively by the destination address (616) and the 
destination port (617); 

• sending (1109) the IP datagram over the IP net- 
work (502). 

4. A method according to the preceding claim wherein, 
if a destination address and a destination port are 
not identified in said first table, or if the server ad- 
dress and the destination address are identical and 
if the server port and the destination port are iden- 
tical: 

• maintaining the server address (310) and the 
server port (312) in the IP datagram; 

• sending the IP datagram over the IP network 
(502). 

5. The method according to any one of the preceding 
claims wherein said IP datagram comprises a 
Source IP Address field (310) and a Destination IP 
Address field (311) in an IP header (302) for identi- 
fying the source device and the destination device, 
and a Source Port Address field (312) and a Desti- 
nation Port Address field (313) in a Transmission 
Control Protocol (TCP) header (305) for identifying 
the source port and the destination port on said 
source device and destination device. 

6. The method according to any one of the preceding 
claims wherein the step of determining (804, 806) 
whether the source device of the incoming IP data- 
gram is a client (501) or a server (503) comprises 
the further step of: 

• determining if the value of the Destination Port 
field (313) comprised in the IP datagram is 
equal to the value of a destination port on a 
server (503) or if the value of the Source Port 
field (312) comprised in the IP datagram is 
equal to the value of a source port on a server 
(503). 

7. The method according to any one of the preceding 
claims wherein the IP datagram transports data us- 
ing an application level protocol and wherein said 
step of searching (905) for a server address and a 
server port in a first table (612) comprises the fur- 
ther steps of: 

if (911) a server address and a server port are not 
identified in said first table (612) for the client ad- 
dress (614), the client port (615), the destination 
address (616) and the destination port (617): 

• identifying (1002) the application level protocol 
used by data transported in the IP datagram; 

• determining (1003) a server address and a 
server port referring to a second table (606), 
said second table (606) comprising, for the iden- 
tified application level protocol, a server ad- 
dress (609) and a server port (610) for each cli- 
ent or group of clients identified by a client ad- 
dress (608) or range of client addresses; 

if (1005) the destination address (311) and the serv- 
er address (609) are different or if the destination 
port (313) and the server port (610) are different: 

• creating (1008) a new record in said first table 
(612) comprising: 

• the client address (310, 608, 614); 

• the client port (312, 615); 

• the destination address (311, 616); 

• the destination port (313, 617); 

• the server address (609, 618); 

• the server port (610, 619). 

8. The method according to any one of the preceding 
claims wherein the IP datagram transports data us- 
ing an application level protocol and wherein said 
step of determining (906) a server address and a 
server port referring to a first table (612) comprises 
the further steps of: 

if a server address and a server port are not identi- 
fied in said first table (612) for the client address 
(614), the client port (615), the destination address 
(616) and the destination port (617): 

• identifying (1002) the application level protocol 
used by data transported in the IP datagram; 

• determining (1003) a server address and a 
server port referring to a second table (606), 
said second table (606) comprising, for the iden- 
tified application level protocol, a server ad- 
dress (609) and a server port (610) for each cli- 
ent or group of clients identified by a client ad- 
dress (608) or range of client addresses; 

if (1005) the destination address (311) and the serv- 
er address (609) are different or if the destination 
port (313) and the server port (610) are different: 

• identifying an indication for discarding the IP 
datagram in said second table (606), said sec- 
ond table (606) comprising, for the identified ap- 
plication level protocol, an indication (611) for 
discarding IP datagrams for each client or 
group of clients identified by a client address 
(608) or range of client addresses; 

if (1006) the indication (611) for discarding the IP da- 
tagram is set: 

• discarding (1007) the IP datagram; 

if the indication (611) for discarding the IP datagram 
is not set: 

• creating (1008) a new record in said first table 
(612) comprising: 

• the client address (310, 608, 614); 

• the client port (312, 615); 

• the destination address (311, 616); 

• the destination port (313, 617); 

• the server address (609, 618); 

• the server port (610, 619). 

9. The method according to any one of the preceding 
claims comprising the further step of: 

• configuring said second table (606), said sec- 
ond table comprising one table for each sup- 
ported application level protocol. 

10. The method according to any one of the preceding 
claims wherein the step of configuring said second 
table (606) comprises the step of: 

• retrieving (702) a portion or the totality of said 
second table (606) from one or a plurality of 
server systems (507) within the IP network 
(502). 

11. The method according to any one of the preceding 
claims wherein the step of configuring said second 
table comprises the step of: 

• retrieving updates of said second table (606) 
from said one or plurality of server systems 
(507) within the network. 

12. The method according to any one of the preceding 
claims wherein the steps of retrieving a portion or 
the totality of said second table (606) and retrieving 
updates of said second table (606) comprise the 
further step of: 

• determining the address of said one or plurality 
of server systems (507) storing a portion or the 
totality of said second table (606) referring to a 
third table (601). 

13. The method according to any one of the preceding 
claims wherein the step of configuring said second 
table (606) comprises the step of: 

• receiving a portion or the totality of said second 
table from said one or plurality of server sys- 
tems (507) within the network. 

14. The method according to any one of the preceding 
claims wherein the step of configuring said second 
table comprises the step of: 

• receiving updates of said second table from 
said one or plurality of server systems (507) 
within the network. 

15. The method according to any one of the preceding 
claims wherein the step of configuring said second 
table comprises the step of: 

• locally storing said second table (606) and/or 
updates of said second table (606) within the 
network device (506). 

16. The method according to any one of the preceding 
claims wherein said plurality of servers are proxy 
servers (503). 

17. A network device, in particular a router (506), com- 
prising means adapted for carrying out the method 
according to any one of the preceding claims. 

18. A computer readable medium comprising instruc- 
tions for carrying out the method according to any 
one of claims 1 to 16. 